Orange Fined €50M for Commercial Prospecting Without Subscriber Consent
Key Takeaways
User consent lies at the heart of data protection. Upholding this principle, the CNIL has fined Orange €50 million for sending advertising messages to its subscribers without obtaining their consent.
The GDPR strengthened the concept of data subjects' consent to the processing of their personal data, making it a fundamental pillar of data protection. While user consent was already one of the legal bases for processing personal data prior to the GDPR, its definition was further refined to solidify its role as a legal foundation for processing. (1)
In line with this principle, the CNIL recently imposed a €50 million fine on Orange for two key violations: (i) sending advertising messages to subscribers without their consent, and (ii) continuing to process cookies after users had withdrawn their consent. (2)
1. Commercial Prospecting: Failure to Obtain Subscriber Consent
During two rounds of online inspections conducted in June, and in July and November 2023, the CNIL agents discovered that advertising messages were displayed in the inboxes of Orange’s “Mail Orange” users without their prior consent. These advertisements, resembling ordinary emails and appearing among users’ personal emails, fell under the scope of regulations governing direct marketing.
This practice violated Article L.34-5 of the French Postal and Electronic Communications Code (CPCE) and Article 82 of the French Data Protection Act (Loi Informatique et Libertés). (3)
The CNIL’s interpretation relied on the November 25, 2021, decision by the Court of Justice of the European Union (CJEU). In this decision, the CJEU clarified that under the E-Privacy Directive of July 12, 2002, the use of emails for direct marketing is permitted only if the user is clearly and precisely informed about how such advertisements will be delivered and has given specific and informed consent to receive such advertising messages. (4)
Furthermore, displaying advertisements among personal emails constitutes a form of using email services for marketing purposes.
Orange argued that these advertisements were technically distinct from the users’ emails and that the responsibility for obtaining consent rested with the advertisers.
However, the CNIL dismissed this claim, emphasizing that Orange, as the provider of the email service, had direct control over the display of these advertisements. Consequently, Orange was responsible for ensuring compliance with commercial prospecting regulations (although this does not absolve advertisers of their own compliance obligations).
2. Cookies: Failure to Inform Subscribers and Cease Reading Cookies After Consent Withdrawal
Under Article 82 of the French Data Protection Act, placing cookies on a user’s device requires providing clear, comprehensive, and prior information, as well as offering the user the opportunity to oppose their placement. (5)
During its inspections, the CNIL found that cookies continued to be read even after users had withdrawn their consent. These included cookies with advertising and statistical purposes which were shared with Orange’s partners, in violation of the French Data Protection Act.
Orange argued that managing cookie consent withdrawals was technically complex and claimed that the cookies in question were not being exploited. The company, however, committed to implementing corrective measures.
The CNIL emphasized that the placement and use of cookies require user consent, which must remain revocable at any time. Once a user withdraws consent, all reading of cookies must cease immediately. This obligation extends to third-party cookies, making Orange responsible for ensuring the compliance of its commercial partners.
The CNIL dismissed Orange’s argument that the cookies were no longer exploited, asserting that the continued reading of cookies after users had withdrawn consent constituted a violation, regardless of whether the data was actively utilized.
3. Criteria for Determining the Fine Amount
The criteria used to establish the amount of the administrative fine were particularly detailed, taking into account the following factors:
- Severity of the Violations: the CNIL first assessed the nature, gravity, and duration of the violations to determine the fine.
The following aspects were particularly significant: the intrusive nature of the practice (such as embedding advertising messages among users’ personal emails), the number of users affected (as France’s leading internet and mobile operator, Orange’s email service reportedly serves approximately 8 million subscribers), and the duration of the violations.
The infringement related to cookie reading after consent withdrawal impacted anyone visiting Orange’s website, which receives 23.5 million unique visitors per month, with approximately 21,000 monthly consent withdrawal requests.
The absence of user consent for commercial prospecting and the non-compliant use of cookies constitute violations of fundamental rights.
- The Company’s Market Position: Orange is a major global telecommunications provider and France’s historic telecommunications operator.
Given that consent requirements have been in place for several years, the CNIL stressed that Orange, considering its market position and resources, should have exercised heightened diligence to ensure compliance with data protection regulations.
- Cooperation and Corrective Measures: while Orange eventually discontinued the contested advertising practices and implemented a new commercial prospecting format, the CNIL noted that these actions were taken only after its inspections. The measures were deemed too late and insufficient to mitigate the penalty.
- Deterrence: according to the CJEU, the calculation of the maximum fine should be based on the company’s global revenue, even if the violations are geographically limited. The fine must reflect the significance of personal data protection and serve as a deterrent to future violations.
In 2023, Orange reported €44.1 billion in revenue and a net profit of €2.9 billion. Considering the company’s responsibility, financial capacity, and the criteria under Article 83 of the GDPR, the CNIL set the fine at €50 million, deeming it both dissuasive and proportionate.
Commercial prospecting is strictly regulated: on one hand, registrations can only be carried out based on the effective consent of individuals (“opt-in”); on the other hand, registration forms must follow a clear and transparent format. (6) Compliance with regulations primarily falls on advertisers but also extends to the entire chain of participants, i.e. subcontractors, involved in the prospecting operation. It is therefore essential to ensure that contracts among all parties are drafted with the utmost care.
(1) Consent is defined under Articles 4 and 7 of the GDPR. It must be “freely given, specific, informed, and unambiguous.”
(2) CNIL Deliberation SAN-2024-019, November 14, 2024 (in French)
(3) Article L.34-5 of the French Postal and Electronic Communications Code (CPCE) transposes into French law the rules governing the use of automated calling systems, non-human communication systems, and email for direct marketing purposes, as defined by Directive 2002/58/EC of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications or “ePrivacy Directive”).
(4) CJEU, 3rd Ch., November 25, 2021, StWL Städtische Werke Lauf a.d. Pegnitz GmbH, Case C-102/20.
(5) Exceptions to cookie regulations apply to cookies whose sole purpose is to enable or facilitate electronic communication or those strictly necessary for the provision of an online communication service explicitly requested by the user.
(6) See our article, “Commercial Prospecting: The CNIL Confirms Its Position on Data Collection and the Reuse of Prospect Files.” (in French)
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
January 2025